Brandon Azad bazad

iOS security research

bazad / arm64_sysregs_ios.py

Created July 17, 2020 19:58

Label iOS arm64 system registers in IDA Pro

	#
	# arm64_sysregs_ios.py
	# Brandon Azad
	#
	# Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre.
	#

	import idautils
	import idc

bazad / process_AArch64_SysReg_xml_v86A-2020-03.py

Created June 19, 2020 02:33

	import html
	import os
	import re

	directory = os.fsencode('SysReg_xml_v86A-2020-03')

	def output_reg(name, description, spec):
	assert(all(map(lambda x: type(x) == int, spec)))
	print("{:020b} 'S{}_{}_c{}_c{}_{}' : ( '{}', '{}' ),".format(
	(spec[0] << 16) + (spec[1] << 12) + (spec[2] << 8) + (spec[3] << 4) + (spec[4] << 0),

bazad / sep_firmware_split.py

Last active July 24, 2024 19:46

Split a decrypted Apple SEP firmware image into individual Mach-O files.

	#! /usr/bin/env python3
	#
	# sep_firmware_split.py
	# Brandon Azad
	#
	# Split a decrypted Apple SEP firmware image into individual Mach-O files.
	#
	# iPhone11,8 17C5053a https://twitter.com/s1guza/status/1203550760102969345
	# iPhone11,8 17E255 https://twitter.com/s1guza/status/1244683851957522435
	#

bazad / devicetree-iPhone12,3-17C54.txt

Last active March 22, 2024 08:21

iPhone12,3 17C54 device tree

	device-tree:
	target-type (5): "D421"
	mlb-serial-number (32): "C07947707R3LTPJB"
	compatible (27): "D421AP\0iPhone12,3\0AppleARM\0"
	secure-root-prefix (3): "md"
	AAPL,phandle (4): 0x1
	platform-name (32): "t8030"
	device_type (8): "bootrom"
	region-info (32): "LL/A"
	regulatory-model-number (32): "A2160"

bazad / find_kernel_base_checkra1n.c

Created November 21, 2019 02:46

A demo of one way to find the kernel base on iOS 13.2.2 on an iPhone 8 using the kernel task port as exposed by checkra1n 0.9.5.

	#include <assert.h>
	#include <mach/mach.h>
	#include <stdbool.h>
	#include <stdio.h>

	// ---- mach_vm.h ---------------------------------------------------------------------------------

	extern
	kern_return_t mach_vm_read_overwrite
	(

bazad / vmmap.c

Last active January 4, 2024 16:32

A simple vmmap implementation for macOS.

bazad / build-xnu-4903.241.1.sh

Created September 13, 2019 21:11

A script to build XNU version 4903.241.1 (macOS High Sierra 10.14.3) on macOS 10.14.6 with Xcode 9.4.1.

	#! /bin/bash
	#
	# build-xnu-4903.241.1.sh
	# Brandon Azad
	#
	# A script showing how to build XNU version 4903.241.1 (which corresponds to
	# macOS 10.14.3) on macOS High Sierra 10.14.6 with Xcode 9.4.1.
	#
	# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
	# backup of this directory first!

bazad / if_value.h

Created September 11, 2019 22:44

A C preprocessor macro to test whether a macro parameter has a value.

bazad / A12-page-table-walk.c

Created May 17, 2019 05:22

A C implementation of a simple page table walk on A12 devices (iOS 12.1.2).

	uint64_t
	aarch64_page_table_lookup(uint64_t ttbr, uint64_t vaddr,
	uint64_t l1_tte_, uint64_t l2_tte_, uint64_t *l3_tte_) {
	const uint64_t pg_bits = 14;
	const uint64_t l1_size = 3;
	const uint64_t l2_size = 11;
	const uint64_t l3_size = 11;
	const uint64_t tte_physaddr_mask = ((1uLL << 40) - 1) & ~((1 << pg_bits) - 1);
	uint64_t l1_index = (vaddr >> (l2_size + l3_size + pg_bits)) & ((1 << l1_size) - 1);
	uint64_t l2_index = (vaddr >> (l3_size + pg_bits)) & ((1 << l2_size) - 1);

bazad / build-xnu-4903.221.2.sh

Created January 28, 2019 19:18

A script to build XNU version 4903.221.2 (macOS High Sierra 10.14.1) on macOS 10.14.1 with Xcode 9.4.1.

	#! /bin/bash
	#
	# build-xnu-4903.221.2.sh
	# Brandon Azad
	#
	# A script showing how to build XNU version 4903.221.2 (which corresponds to
	# macOS 10.14.1) on macOS High Sierra 10.14.1 with Xcode 9.4.1.
	#
	# Note: This process will OVERWRITE files in Xcode's MacOSX10.13.sdk. Make a
	# backup of this directory first!